EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SSL Handshake with Client Certificate

Also by EldoS: Callback File System
Create virtual file systems and disks, expose and manage remote data as if they were files on the local disk.
Posted: 03/02/2009 21:43:57
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I am using SSLSecureBlackbox on a VB6 client. I have an OpenSSL server written in C. The server is setup to require client certs. On the client side i am loading the clint.pem file using LoadFromBufferPEM.
I do this on the Client_OnCertificateNeededEx event.

If sendcert Then
   Set SSLCertificate = CreateObject("BaseBBox6.ElCertificateX")
   Call OpenFileForRead(infile, App.Path + "\client.pem")
   Size = LOF(infile)
   Call BlockRead(infile, Buf, Size)
   Close infile
   Call SSLCertificate.LoadFromBufferPEM(Buf, "password")

   Set Certificate = SSLCertificate
   sendcert = False
   Set Certificate = Nothing
End If

The server throws an error
74034:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2564:

Is there anything else i should do to send down the cert?

Posted: 03/02/2009 23:31:39
by Ken Ivanov (EldoS Corp.)

It is likely that the client.pem file does not contain a private key (or the password provided is not valid). If you are sure that it is there, please check if SimpleSSLDemo is able to authentication with your certificate.
Posted: 03/03/2009 08:43:36
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I tried the SimpleSSLDemo project. it did not work. i get the same error. I also created a PKCS12 file this time using the command
openssl pkcs12 -export -in clientcert.pem -inkey clientkey.pem -out client.pfx

The client.pfx contains both the cert and the key.
Posted: 03/03/2009 08:57:04
by Ken Ivanov (EldoS Corp.)

Can you please check the SSLCertificate.PrivateKeyExists property right after the certificate is loaded?
Posted: 03/03/2009 09:02:04
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

Yes, the Property is set to TRUE
Posted: 03/03/2009 09:24:22
by Ken Ivanov (EldoS Corp.)

The server may require a complete certificate chain to be provided (up to the root CA certificate). Did you have a chance to try to connect to the server with some other client software?

BTW, please check that TLS1.1 and TLS1.2 versions are disabled on a client, as some servers have difficulties with understanding them.
Posted: 03/03/2009 10:21:38
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I have a client written in C which uses OpenSSL and that can load the client cert and send it to the server.

I disabled the TLS options
Client.DisableVersion SB_TLS_11
Client.DisableVersion SB_TLS_12

It did not work
Posted: 03/03/2009 12:59:24
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

I was able to get that working.
I recreated my certs using the following. Might help others.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
cat server.crt server.key > server.pem
openssl x509 -subject -issuer -noout -in server.pem
cat ca.crt ca.key > ca.pem
openssl x509 -subject -issuer -noout -in ca.pem
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
cat client.crt client.key > client.pem
openssl x509 -subject -issuer -noout -in client.pem

Posted: 03/09/2009 15:05:32
by Sandeep Mohan (Standard support level)
Joined: 02/25/2009
Posts: 46

How to send the client certificate using the EISecureClient for ActiveX. The EISecureClient fires OnCertificateNeededEx event, but since this is not implemented in EISecureClient, how do i acheive this.
I also looked at the SopisticatedSSLClient example.
Posted: 03/10/2009 10:01:36
by Ken Ivanov (EldoS Corp.)

OnCertificateNeededEx is actually supported by ElSecureClientX (it is a documentation issue). I have reported the problem to the techwriter.
Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.



Topic viewed 2673 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!